More Breaches, Fewer Lost Records?

I am the first person to admit that I am not a math person (ask my bank teller how many times she's had to correct my addition). But even I was stumped by the headline that announced data breaches are up but lost records are down. That's according to Verizon's data breach investigation.

With six million unique samples of recorded malware, Q1 2011 was the most active first quarter in malware history.

While there were 760 data breaches recorded by Verizon and the U.S. Secret Service in 2010 (up from about 140 in 2009), there were only 4 million compromised records involved (way down from 144 million in 2009), according to the Verizon 2011 Data Breach Investigations Report scheduled to be released on Tuesday. The figures represent both a record high number of incidents and a record low records lost amount for any of the seven years Verizon has been keeping track.

The way a Verizon spokesperson explained it, while the data breach numbers have gone up, the hackers were targeting smaller companies with fewer records.

The CNET article quoted Alex Hutton, principal for research and intelligence at Verizon:

There has been a shift in the threat landscape, and organized crime is targeting medium to small-sized businesses in the U.S. What we're seeing is the bad guys exploiting people who haven't taken basic security considerations into account in their small business. An attacker is running an automated attack, basically looking for people who have let their guards down. They are introducing malware into the environment, and if it's credit cards they are after they'll just scoop up a handful at a time.

Again, the study covered 2010. It will be very interesting to see how next year's report compares in numbers. But I think what the Verizon report shows is just how quickly the threat landscape changes and what held true six months ago may not necessarily hold true today or tomorrow.